> Am 05.08.2024 um 20:22 schrieb WATANABE Takeo <t...@kasaneiro.jp>:
> 
> Hi,Souji-SAN.
> 
> Thank you so much for your advice.
> We will reply to you in due course.
> 
> 
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria" <m...@souji-thenria.net> wrote: 
> 
>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>>> I am having trouble because all packets are blocked.
>>> Please see below for a description of the problem.
>>> I would appreciate it if you could point out any problems.
>> 
>> The config looks ok so far; I don't see any problems.
>> 
>> Can you run 'pfctl -s rules' and send the command output?
>> You can also run 'tcpdump' on the interface. Can you see incoming or
>> outgoing packets for your specified ports?
> 
> We are sending you the results of the "pfctl -s rules" run,
> the results of the "pfctl -vnf /etc/pf.conf" run
> and the original "pf.conf" as attachments, just in case.
> 
> The results of "pfctl -s rules" were difficult for me to understand,
> I am ashamed to say. As an example of what I understood,
> I also send you the result of "pfctl -vnf /etc/pf.conf".
> 
> I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
> mostly DNS packets (IN/OUT).
> # This host is an authoritative DNS server, so I think it is natural.
> 
> Is it possible to understand the situation with these results?
> We look forward to your reply.
> 
> Best regards,
> 
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
> 
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
> 
> set block-policy drop
> set loginterface vio0
> 
> # don't filter on loopback interface
> set skip on lo0
> 
> # set up a default deny policy
> block all
> 
> # Blocking Spoofed Packets
> antispoof quick for vio0
> 
> # Allow packets
> pass log quick on vio0 proto tcp to any port $tcp_services keep state
> pass log quick on vio0 proto udp to any port $udp_services keep state
> 
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> 
> moegi# pfctl -vnf /etc/pf.conf
> tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services = "{ domain, ntp }"
> set block-policy drop
> set loginterface vio0
> set skip on { lo0 }
> block drop all
> block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
> block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
> block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
> block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
> block drop in quick inet from 160.16.212.251 to any
> pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
> pass log quick on vio0 proto udp from any to any port = 53
> pass log quick on vio0 proto udp from any to any port = 123
> pass quick on vio0 proto icmp all
> moegi#
> moegi# pfctl -s rules
> block drop all
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
> moegi#

Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl 
-sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, 
i.e. without -n)? -n only checks the config without loading it.

The loaded rules as returned by `pfctl -sr` would not allow much of your 
desired traffic. However they do allow NDP traffic.

Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need 
to allow NDP traffic and you probably want to allow ICMPv6 echo as well.

One more debugging tip: Temporarily turn off pf to see if your issues are 
caused by your pf rules. `pfctl -d`. Then test and turn it back when done 
testing (`pfctl -e`).
Note (mainly for other readers): This tip works in your case, but not if NAT or 
forwarding rules are used.

PS. Do you have console access to the host? If not, there is a good chance that 
you might shoot yourself in the foot with incorrect rules and lose access to 
the machine.

PPS. Your loaded rules allow SSH on port 22. Your desired rules would allow SSH 
on port 1522. Is your sshd actually listening on these ports? Oh and if you 
want to access other hosts from your machine that use port 22 using SSH then 
your new rules are missing an outgoing rule for that. One reason for mostly 
allowing all outgoing traffic and only dealing with incoming packets in the rules.


HTH
Mike
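
As an added example (not part of the thread or of OpenBSD's pf tooling), a small POSIX sh helper that makes the mismatch Mike points out visible: it strips the macro and `set` lines from a `pfctl -vnf /etc/pf.conf` listing and reports every expanded rule that does not appear in `pfctl -sr`, i.e. rules that were checked but never loaded. The sample listings below are constructed from the two outputs quoted above; the comparison is purely textual and assumes both commands print rules in the same expanded form, as they do in this thread.

```shell
# Added example (not from the thread): compare the ruleset a pf.conf WOULD load
# ('pfctl -vnf', which only parses and expands) with the ruleset that IS loaded
# ('pfctl -sr'). Macro assignments and 'set' options appear only in the first
# listing, so they are stripped before the two are compared.

# Normalise one rule listing: drop macros and 'set' lines, squeeze whitespace,
# sort so that comm(1) can compare the two listings.
normalize_rules() {                       # $1 = file holding a listing
    grep -Ev '^[A-Za-z_][A-Za-z0-9_]* *= *"|^set ' "$1" |
        sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' |
        grep -v '^$' | sort -u
}

# Print desired rules that are absent from the loaded set; exit 0 if none are.
missing_rules() {                         # $1 = desired, $2 = loaded
    d=$(mktemp) && l=$(mktemp) || return 2
    normalize_rules "$1" > "$d"
    normalize_rules "$2" > "$l"
    missing=$(comm -23 "$d" "$l")
    rm -f "$d" "$l"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}
# Constructed sample input, cut down from the two listings quoted above.
DESIRED_SAMPLE=$(mktemp); LOADED_SAMPLE=$(mktemp)
cat > "$DESIRED_SAMPLE" <<'EOF'
tcp_services = "{ http, https, domain }"
set block-policy drop
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
EOF
cat > "$LOADED_SAMPLE" <<'EOF'
block drop all
pass out proto udp from any to any port = 53
pass in proto tcp from any to any port = 22 flags S/SA
EOF

# On the firewall itself (as root) the listings come straight from pfctl:
#   pfctl -vnf /etc/pf.conf > /tmp/desired && pfctl -sr > /tmp/loaded
#   missing_rules /tmp/desired /tmp/loaded || echo "ruleset not (re)loaded"
if missing_rules "$DESIRED_SAMPLE" "$LOADED_SAMPLE"; then
    echo "every desired rule is loaded"
else
    echo "^ these desired rules are missing from the loaded ruleset"
fi
```

Run as root on the host after `pfctl -f /etc/pf.conf`; if anything is still reported missing, the file pf actually loaded is not the one you edited.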
